Mark Esler

Could libpng maintainers or the reporter please state if they believe libpng introduces this issue? From the conversation, it appears to be a non-issue. fwiw, I created a clean Ubuntu 20.04 vm and was not able to reproduce the PoC fault: eslerm@sec-focal-amd64:~/libpng-code$ ./pngimage ~/pngimage_npd_png_setup_paeth_row2496 && echo $? 0 If the reporter or project state that this is not a vulnerability in libpng, I will ask Red Hat to revoke their assignment of CVE-2022-3857 for this issue https://bugzilla.redhat.com/show_bug.cgi?id=2142600...

Could libpng maintainers or the reporter please state if they believe libpng introduces this issue? From the conversation, it appears to be a non-issue. fwiw, I created a clean Ubuntu 20.04 vm and was not able to reproduce the PoC fault: eslerm@sec-focal-amd64:~/libpng-code$ ./pngimage ~/pngimage_npd_png_setup_paeth_row2496 && echo $? 0 If the reporter or project state that this is not a vulnerability in libpng, I will ask Red Hat to revoke their assignment of CVE-2022-3857 for this issue https://bugzilla.redhat.com/show_bug.cgi?id=2142600...

As Salvatore points out, this issue (CVE-2017-15019) appears to be addressed with https://sourceforge.net/p/lame/svn/6386/tree/trunk/lame/mpglib/interface.c?diff=59e1c885dab7b929b5817e2e:6385